Allow isolated_app to use TCP and UDP sockets brokered over IPC.
This will let an app delegate network operations to an
isolatedProcess=true service. Chromium will use this to separate out
network protocol parsing of untrusted Internet data from the main app
process into a sandboxed service process.
Bug: 147444459
Test: Build and boot sargo. Chromium runs.
Change-Id: Ia7f54d481676a03b96f512015e6adcf920a014c3
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 15c0f3f..49e9065 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -13,6 +13,10 @@
# Access already open app data files received over Binder or local socket IPC.
allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
+# Allow access to network sockets received over IPC. New socket creation is not
+# permitted.
+allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
+
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
allow isolated_app webviewupdate_service:service_manager find;
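Review bot: The comment above the new `allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };` rule understates what it grants: in global_macros that macro expands (worth confirming against the tree) to bind, connect, setopt, getopt and shutdown as well as read/write, so a sandboxed service handed an unconnected socket can re-point it at any address rather than only move data on an endpoint the host app chose. If that is intended for Chromium's socket-brokering design, the comment should say so; if only the data path is meant to be delegated, narrow the permission set to something like `{ read write getattr lock append shutdown getopt }`. The statement that "New socket creation is not permitted" is also not established by this rule but by the neverallow later in the file (whose tail is outside this view), so point there, e.g. `# bind/connect/setopt are included; socket creation stays blocked by the neverallow below.` Note also that the type-level match means sockets from any app in these domains qualify, with the only gate being that the fd must actually arrive over IPC.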
@@ -130,7 +134,7 @@
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
-neverallow isolated_app self:{
+neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket